Free HTTPS using Let’s Encrypt in WordPress

The ‘S’ at the end of HTTPS stands for ‘Secure’. It means all communications between your browser and the website are encrypted. It has the advantage of extra security for you and your users and a higher rank in Google’s search results.

Before December 2015 to get HTTPS you had to pay for a TLS certificate, sometimes referred to as SSL which was its predecessor. Now you can now get HTTPS for free at letsencrypt.org using their automated certificate authority. I’ve recently made this change to my WordPress site, so if you want to make the change too, here’s my how-to-guide.

Getting your TLS certificate

There are two ways to get your TLS certificate from Let’s Encrypt – the easy and the hard way. But before you make any change you should always create a backup of your site incase you have to restore it.

Using Let’s Encrypt the easy way

The easiest way to use Let’s Encrypt is to use a web host which has it built into the service. I use Ngage hosting but there are plenty of others like SiteGround. Within the Ngage cPanel scroll down to the security section where you will find an icon for Let’s Encrypt. With just one click you can install a TLS certificate. SiteGround’s process is just as simple.

The certificate issued lasts for three months and should auto renew. I recommend adding a date in your diary to check after the first renewal to make sure it worked.

Using Let’s Encrypt the hard way

The hard way is to install the certificate yourself. However to do this you need root access to your server which unless you are paying a lot for your hosting most blogger sites won’t have this. Just ask your hosting provider if you are unsure.

How to setup WordPress to use HTTPS

Hopefully you have successfully installed your TLS certificate. Once you have this you can go into the WordPress editor and go to settings > general. Change your WordPress address and site address from HTTP to HTTPS and then scroll to the bottom of the page and select save changes.

Once you have made the change go to your website using the new HTTPS URL. If you are using Chrome you should have a little green padlock next to your website address.

You can check your Let’s Encrypt certificate has been successfully installed by left clicking on the padlock and the selecting the tab ‘Connection’. This should say ‘chrome verified that Let’s Encrypt Authority X1 issued this website’s certificate’. If it doesn’t you haven’t successfully installed the certificate.

If you don’t have the little green padlock on all your pages (which I didn’t when I made the change) it means some pages have a mixture of secure and insecure content on the page.

Normally it is something simple like you have an image on your site which is using http:// instead of https://. You need to look at any internal links and make sure you are using the relative path URLs or any absolute path URLs are using HTTPS, this includes all images, javascript and CSS files. However external links to other websites don’t need to be changed.

Relative paths

index.html

/graphics/image.png

/help/articles/how-do-i-set-up-a-webpage.html

Absolute paths

https://www.example.com

https://www.example.com/graphics/image.png

https://www.example.com/help/articles/how-do-i-set-up-a-webpage.html

If you see a red cross and a line through the HTTPS something really has gone wrong and I don’t have any advice except to google for help.

How to ensure your connection is always HTTPS

Hopefully you now have a green padlock across your site.

However a user can still get access to your old HTTP website. To get your site to automatically change any HTTP links to HTTPS you need to edit the .htaccess file.

In WordPress the .htaccess file controls amongst other things how your links are displayed.

The first step is to find your .htaccess file, which is easier said than done. Normally it is in the folder public_html which you need to access via your website hosts file manager within the cPanel or via SFTP.

The file is hidden so you will need to change the settings to show hidden files. You can find more tips on finding .htaccess on wpbeginner.

Once you have found it make a copy just in case the changes you make don’t work.

To force the site to remain in HTTPS you need to add the following code to your .htaccess file. It is important not to include the code between # BEGIN WordPress and # END WordPress. If you do WordPress may overwrite your custom .htaccess rules.